Using namespace-scoped custom resources

open-appsec's default custom resources, which are used for declarative configuration when open-appsec is managed locally, are cluster-scoped: they are not associated with a specific namespace but are defined at the cluster level.

In certain deployment scenarios, you might only have access to a specific namespace and do not have the permission to deploy any cluster-scoped custom resources on a given Kubernetes cluster. Or you might be an MSSP who only provides one or more dedicated namespaces to your customers.

Beginning with the open-appsec CRD version v1beta2 for Kubernetes, open-appsec also supports namespace-scoped custom resources for the configuration, as an alternative to the default cluster-scoped custom resources.

Using namespace-scoped custom resources

When you deploy open-appsec using helm, you can optionally set the appsec.crdsScope attribute to namespaced, as shown below. open-appsec then applies the configuration declared in namespace-scoped open-appsec custom resources instead of the regular cluster-scoped custom resources.

helm install ... --set appsec.crdsScope=namespaced ...

open-appsec, starting with v1beta2, provides every custom resource in two versions, a cluster-scoped version and an alternative namespace-scoped version.

Once you have set crdsScope to namespaced for your open-appsec deployment as explained above, make sure to provide the desired configuration for that specific deployment using the dedicated namespace-scoped CRDs, as shown in the examples below.

Examples:

To define cluster-scoped custom resources for defining an open-appsec policy, use kind: Policy
To define namespace-scoped custom resources for defining an open-appsec policy, use kind: PolicyNS

To define cluster-scoped custom resources for defining a threat prevention practice, use kind: ThreatPreventionPractice
To define namespace-scoped custom resources for defining a threat prevention practice, use kind: ThreatPreventionPracticeNS

The same naming pattern applies to all other custom resource definition types which open-appsec supports for declarative configuration.
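A pre-apply check built on this naming pattern, added here as an example and not part of the open-appsec project: it flags manifests whose kind does not match the crdsScope of the deployment, and namespace-scoped resources that carry no metadata.namespace. The API group openappsec.io, the function names and the sample manifests are assumptions or constructed for illustration; any crdsScope value other than namespaced is treated as the cluster-scoped default.

```python
import re

# Assumption: open-appsec resources use the API group "openappsec.io"
# (the group name is not stated on this page).
GROUP = "openappsec.io/"

# Constructed sample manifests; spec bodies are left out on purpose.
SAMPLE = """\
apiVersion: openappsec.io/v1beta2
kind: PolicyNS
metadata:
  name: tenant-a-policy
  namespace: tenant-a
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice
metadata:
  name: default-practice
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPracticeNS
metadata:
  name: tenant-a-practice
"""

# Minimal line-based readers, enough for flat metadata; not a full YAML parser.
def top_level(doc, key):
    m = re.search(rf"^{key}:\s*(\S+)", doc, re.M)
    return m.group(1) if m else None

def metadata_field(doc, key):
    m = re.search(rf"^metadata:\s*\n(?:[ \t]+.*\n)*?[ \t]+{key}:\s*(\S+)", doc, re.M)
    return m.group(1) if m else None

def lint(manifests, crds_scope):
    """Return (kind, name, problem) for each open-appsec resource that does not fit crds_scope."""
    findings = []
    for doc in re.split(r"^---\s*$", manifests, flags=re.M):
        api, kind = top_level(doc, "apiVersion"), top_level(doc, "kind")
        if not api or not kind or not api.startswith(GROUP):
            continue  # not an open-appsec resource
        name = metadata_field(doc, "name")
        is_ns = kind.endswith("NS")  # the page's naming pattern: Policy / PolicyNS
        if crds_scope == "namespaced" and not is_ns:
            findings.append((kind, name, f"cluster-scoped kind; use {kind}NS"))
        elif crds_scope != "namespaced" and is_ns:
            findings.append((kind, name, f"namespace-scoped kind; use {kind[:-2]}"))
        elif is_ns and not metadata_field(doc, "namespace"):
            findings.append((kind, name, "no metadata.namespace set"))
    return findings
```

Call lint() with the manifest text and the value passed to appsec.crdsScope; an empty list means every open-appsec resource in the file matches that scope.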
